In my last post, I talked about the difference between cloud management and cloud governance. In a nutshell, cloud governance defines the structure within which those who have the day-to-day responsibility for managing the environment must operate. If you missed that post, you can access it here: Cloud Governance vs. Cloud Management.
In this post, we’ll take a look at how TRiA, the cloud management platform many of our customers use to manage their multi-cloud IT environments, can help improve cloud governance. Compliance is only one of many concepts covered under governance, but we’ll use it as an example since it’s one faced by almost every organization these days.
TRiA comes with standard governance checks, or what we call “compliance packs,” built into the system. We cover the most common ones, plus a few additional checks that are vital for our customers, including PCI DSS, HIPAA, GDPR, SOC 2, ISO 27001, CIS, NIST CIF, NIST 800-53, FedRAMP CCM, and CSA CCM. Other compliance standards can be built into the system, but we’ve already set these up for our customers. These compliance checks can also be customized if you want to add rules that are unique to your organization but fall within a specific domain, e.g., a best practice for HIPAA compliance.
I should pause to mention that one of the reasons this functionality is so robust, even though TRiA has only been on the market a short time, is that TRiA started out as the tool we used in-house to manage our customers’ cloud environments. Last year, we put TRiA in the hands of these customers so they could see what we see. Just this spring, we also started offering TRiA as a separate license to organizations that want to manage their cloud environments themselves.
Back to TRiA. Each compliance pack is aggregated into a dashboard that the compliance manager can use to get a high-level view of compliance. These compliance packs are made up of a series of what we call “insights,” so named because they give you specific insights into your environment based on that compliance standard. In the blue box within each compliance pack, you can see the number of insights it contains.
If you click on one of these packs, you can drill down into the details. In the example below, we clicked on the SOC 2 compliance pack.
Without going into this screen field by field, I’ll point out a couple of things the compliance managers in the audience have probably already noticed. First, we show which compliance rules the insight applies to. If your organization is still coming up to speed on a regulation or a specific rule, this information can be incredibly helpful. Of course, the most important information on this screen is undoubtedly the green and red circles that show which of these insights need attention.
To the far right of the screen, you can also see the number of resources this alert applies to. If I click on that, I can drill down to see which specific resources these are. If you have hundreds of resources under an insight, this additional information can significantly speed up resolution. (Creating resource groups using TRiA’s tagging functionality helps as well.)
As I’ve already alluded to, compliance managers in smaller organizations (and even some larger ones) often wear many hats. They probably don’t have the time to sit in front of the compliance dashboard all day long waiting for a resource to go out of compliance. That’s why we’ve built alerts into the system so that when one of these resources goes outside the acceptable range, they can receive this alert on their computer or mobile device.
Just as importantly, you can integrate TRiA alerts into your existing alerting and escalation tools. For example, if an unauthorized port is opened, exposing a system to the world, TRiA can send an alert to a tool like PagerDuty, ServiceNow, or Slack, alerting the appropriate teams and individuals to take action.
You can also take a more proactive stance by automating your response. An open port is a pretty big deal, especially if it puts you out of compliance with a regulation like HIPAA or PCI DSS. When regulators assess non-compliance complaints, one of the elements they look at is how long it takes the organization to respond to a known incident. Automating your response can help you clean up issues immediately.
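To make the insight-to-alert-to-response flow concrete, here is an added example (not TRiA's code, and not its data model) that evaluates a constructed set of security-group rules against one "world-open port" insight, rolls the result up the way a pack dashboard would, and applies an automated response. The allowed-port policy, the control mapping, and the rule shape are assumptions.

```python
import ipaddress

# Constructed sample inventory (hypothetical shape, not TRiA's data model):
# each entry is one inbound security-group rule attached to a cloud resource.
SAMPLE_RULES = [
    {"resource": "sg-web-01", "port": 443, "cidr": "0.0.0.0/0", "proto": "tcp"},
    {"resource": "sg-web-01", "port": 22, "cidr": "0.0.0.0/0", "proto": "tcp"},
    {"resource": "sg-db-01", "port": 5432, "cidr": "10.0.0.0/8", "proto": "tcp"},
    {"resource": "sg-db-02", "port": 5432, "cidr": "::/0", "proto": "tcp"},
    {"resource": "sg-bastion", "port": 3389, "cidr": "203.0.113.0/24", "proto": "tcp"},
]

# Assumed policy: the only ports a resource may expose to the whole internet.
ALLOWED_PUBLIC_PORTS = {80, 443}


def is_world_open(cidr):
    """True when the source CIDR admits any address (IPv4 0.0.0.0/0 or IPv6 ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_port_insight(rules, allowed=ALLOWED_PUBLIC_PORTS):
    """One 'insight': rules exposing a non-allowed port to everyone.
    Returns {resource: [offending rules]} so the dashboard can count resources."""
    findings = {}
    for rule in rules:
        if is_world_open(rule["cidr"]) and rule["port"] not in allowed:
            findings.setdefault(rule["resource"], []).append(rule)
    return findings


def pack_summary(rules):
    """Dashboard-style roll-up: red/green status, affected-resource count,
    and the controls the insight applies to (illustrative mapping)."""
    findings = world_open_port_insight(rules)
    return {
        "insight": "no-unauthorized-world-open-ports",
        "controls": ["SOC 2 CC6.6", "PCI DSS 1.3"],  # illustrative, not a full mapping
        "status": "red" if findings else "green",
        "resources_affected": len(findings),
        "findings": findings,
    }


def remediate(rules):
    """Automated response: drop every world-open rule on a non-allowed port.
    Returns (remaining rules, dropped rules) so the action can be alerted on."""
    offending = world_open_port_insight(rules)
    dropped = [r for rs in offending.values() for r in rs]
    kept = [r for r in rules if r not in dropped]
    return kept, dropped
```

In practice the `dropped` list is what you would post to PagerDuty, ServiceNow, or Slack alongside the summary, so the team can see both the finding and the action taken.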
As I’ve noted, compliance is only one aspect of governance, but it is a big one. You can also apply these same types of concepts to areas like security, performance, resource utilization, and more.